Cryptographic Security Characteristics of 802.11 Wireless LAN Access Systems
draft-orr-wlan-security-architectures-00
Network Working Group S. Orr
Internet-Draft A. Grieco
Intended status: Informational Cisco Systems, Inc.
Expires: April 18, 2013 D. Harkins
Aruba Networks
October 15, 2012
Cryptographic Security Characteristics of 802.11 Wireless LAN Access
Systems
draft-orr-wlan-security-architectures-00
Abstract
This note identifies all of the places that cryptography is used in
Wireless Local Area Network (WLAN) architectures, to simplify the
task of selecting the protocols, algorithms, and key sizes needed to
achieve a consistent security level across the entire architecture.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 18, 2013.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Orr, et al. Expires April 18, 2013 [Page 1]
Internet-Draft WLAN-Security-Architectures October 2012
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions Used In This Document . . . . . . . . . . . . . . 4
3. Architectures . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.2. Standalone WLAS . . . . . . . . . . . . . . . . . . . . . 5
3.3. Centralized WLAS . . . . . . . . . . . . . . . . . . . . . 5
3.4. Architectural Commonality . . . . . . . . . . . . . . . . 6
4. WTP to Access Controller Service Cryptographic Security . . . 7
5. Client to AAA Service Cryptographic Security . . . . . . . . . 8
5.1. EAP Method . . . . . . . . . . . . . . . . . . . . . . . . 8
5.2. Pre Shared Key, or Password, Method . . . . . . . . . . . 8
6. Authenticator to AAA Service Cryptographic Security . . . . . 9
7. Wireless Link Layer Cryptographic Security . . . . . . . . . . 10
8. Cryptographic profiles . . . . . . . . . . . . . . . . . . . . 11
8.1. DTLS and TLS . . . . . . . . . . . . . . . . . . . . . . . 11
8.2. X.509 Certificates . . . . . . . . . . . . . . . . . . . . 13
8.3. Link Layer Encryption . . . . . . . . . . . . . . . . . . 14
8.4. AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
8.5. IPSEC . . . . . . . . . . . . . . . . . . . . . . . . . . 16
9. Security Considerations . . . . . . . . . . . . . . . . . . . 19
9.1. Algorithm Choices . . . . . . . . . . . . . . . . . . . . 19
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 21
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22
12.1. Normative References . . . . . . . . . . . . . . . . . . . 22
12.2. Informative References . . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25
Orr, et al. Expires April 18, 2013 [Page 2]
Internet-Draft WLAN-Security-Architectures October 2012
1. Introduction
Wireless LAN Access Systems (WLAS) are complex systems that involve
interworking many technology components defined by various standards
bodies. To ensure that the entire system is secure against
sophisticated, persistent, and well-funded adversaries, each
component MUST use strong cryptography. However, the architectural-
level cryptographic capabilities and relationships between the
Show full document text